package Auth_test import ( "bytes" "encoding/base64" "encoding/json" "io/ioutil" "log" "net/http" "net/http/cookiejar" "net/http/httptest" "net/url" "testing" "time" "git.tovijaeschke.xyz/tovi/Capsule/Backend/Api" "git.tovijaeschke.xyz/tovi/Capsule/Backend/Api/Auth" "git.tovijaeschke.xyz/tovi/Capsule/Backend/Database" "git.tovijaeschke.xyz/tovi/Capsule/Backend/Database/Seeder" "git.tovijaeschke.xyz/tovi/Capsule/Backend/Models" "github.com/gorilla/mux" ) func Test_ChangePassword(t *testing.T) { log.SetOutput(ioutil.Discard) Database.InitTest() r := mux.NewRouter() Api.InitAPIEndpoints(r) ts := httptest.NewServer(r) defer ts.Close() userKey, _ := Seeder.GenerateAesKey() pubKey := Seeder.GetPubKey() p, _ := Auth.HashPassword("password") u := Models.User{ Username: "test", Password: p, AsymmetricPublicKey: Seeder.PublicKey, AsymmetricPrivateKey: Seeder.EncryptedPrivateKey, SymmetricKey: base64.StdEncoding.EncodeToString( Seeder.EncryptWithPublicKey(userKey.Key, pubKey), ), } err := Database.CreateUser(&u) if err != nil { t.Errorf("Expected nil, recieved %s", err.Error()) return } session := Models.Session{ UserID: u.ID, Expiry: time.Now().Add(12 * time.Hour), } err = Database.CreateSession(&session) if err != nil { t.Errorf("Expected nil, recieved %s", err.Error()) return } jar, err := cookiejar.New(nil) if err != nil { t.Errorf("Expected nil, recieved %s", err.Error()) return } url, _ := url.Parse(ts.URL) jar.SetCookies( url, []*http.Cookie{ { Name: "session_token", Value: session.ID.String(), MaxAge: 300, }, }, ) d := struct { OldPassword string `json:"old_password"` NewPassword string `json:"new_password"` NewPasswordConfirm string `json:"new_password_confirm"` PrivateKey string `json:"private_key"` }{ OldPassword: "password", NewPassword: "password1", NewPasswordConfirm: "password1", PrivateKey: "", } jsonStr, _ := json.Marshal(d) req, _ := http.NewRequest("POST", ts.URL+"/api/v1/auth/change_password", bytes.NewBuffer(jsonStr)) req.Header.Set("Content-Type", "application/json") client := &http.Client{ Jar: jar, } resp, err := client.Do(req) if err != nil { t.Errorf("Expected nil, recieved %s", err.Error()) return } if resp.StatusCode != http.StatusNoContent { t.Errorf("Expected %d, recieved %d", http.StatusNoContent, resp.StatusCode) return } u, err = Database.GetUserById(u.ID.String()) if err != nil { t.Errorf("Expected nil, recieved %s", err.Error()) return } if !Auth.CheckPasswordHash("password1", u.Password) { t.Errorf("Failed to verify the password has been changed") } } func Test_ChangePasswordMismatchConfirmFails(t *testing.T) { log.SetOutput(ioutil.Discard) Database.InitTest() r := mux.NewRouter() Api.InitAPIEndpoints(r) ts := httptest.NewServer(r) defer ts.Close() userKey, _ := Seeder.GenerateAesKey() pubKey := Seeder.GetPubKey() p, _ := Auth.HashPassword("password") u := Models.User{ Username: "test", Password: p, AsymmetricPublicKey: Seeder.PublicKey, AsymmetricPrivateKey: Seeder.EncryptedPrivateKey, SymmetricKey: base64.StdEncoding.EncodeToString( Seeder.EncryptWithPublicKey(userKey.Key, pubKey), ), } err := Database.CreateUser(&u) if err != nil { t.Errorf("Expected nil, recieved %s", err.Error()) return } session := Models.Session{ UserID: u.ID, Expiry: time.Now().Add(12 * time.Hour), } err = Database.CreateSession(&session) if err != nil { t.Errorf("Expected nil, recieved %s", err.Error()) return } jar, err := cookiejar.New(nil) if err != nil { t.Errorf("Expected nil, recieved %s", err.Error()) return } url, _ := url.Parse(ts.URL) jar.SetCookies( url, []*http.Cookie{ { Name: "session_token", Value: session.ID.String(), MaxAge: 300, }, }, ) d := struct { OldPassword string `json:"old_password"` NewPassword string `json:"new_password"` NewPasswordConfirm string `json:"new_password_confirm"` PrivateKey string `json:"private_key"` }{ OldPassword: "password", NewPassword: "password1", NewPasswordConfirm: "password2", PrivateKey: "", } jsonStr, _ := json.Marshal(d) req, _ := http.NewRequest("POST", ts.URL+"/api/v1/auth/change_password", bytes.NewBuffer(jsonStr)) req.Header.Set("Content-Type", "application/json") client := &http.Client{ Jar: jar, } resp, err := client.Do(req) if err != nil { t.Errorf("Expected nil, recieved %s", err.Error()) return } if resp.StatusCode != http.StatusUnprocessableEntity { t.Errorf("Expected %d, recieved %d", http.StatusUnprocessableEntity, resp.StatusCode) } } func Test_ChangePasswordInvalidCurrentPasswordFails(t *testing.T) { log.SetOutput(ioutil.Discard) Database.InitTest() r := mux.NewRouter() Api.InitAPIEndpoints(r) ts := httptest.NewServer(r) defer ts.Close() userKey, _ := Seeder.GenerateAesKey() pubKey := Seeder.GetPubKey() p, _ := Auth.HashPassword("password") u := Models.User{ Username: "test", Password: p, AsymmetricPublicKey: Seeder.PublicKey, AsymmetricPrivateKey: Seeder.EncryptedPrivateKey, SymmetricKey: base64.StdEncoding.EncodeToString( Seeder.EncryptWithPublicKey(userKey.Key, pubKey), ), } err := Database.CreateUser(&u) if err != nil { t.Errorf("Expected nil, recieved %s", err.Error()) return } session := Models.Session{ UserID: u.ID, Expiry: time.Now().Add(12 * time.Hour), } err = Database.CreateSession(&session) if err != nil { t.Errorf("Expected nil, recieved %s", err.Error()) return } jar, err := cookiejar.New(nil) if err != nil { t.Errorf("Expected nil, recieved %s", err.Error()) return } url, _ := url.Parse(ts.URL) jar.SetCookies( url, []*http.Cookie{ { Name: "session_token", Value: session.ID.String(), MaxAge: 300, }, }, ) d := struct { OldPassword string `json:"old_password"` NewPassword string `json:"new_password"` NewPasswordConfirm string `json:"new_password_confirm"` PrivateKey string `json:"private_key"` }{ OldPassword: "password2", NewPassword: "password1", NewPasswordConfirm: "password1", PrivateKey: "", } jsonStr, _ := json.Marshal(d) req, _ := http.NewRequest("POST", ts.URL+"/api/v1/auth/change_password", bytes.NewBuffer(jsonStr)) req.Header.Set("Content-Type", "application/json") client := &http.Client{ Jar: jar, } resp, err := client.Do(req) if err != nil { t.Errorf("Expected nil, recieved %s", err.Error()) return } if resp.StatusCode != http.StatusForbidden { t.Errorf("Expected %d, recieved %d", http.StatusForbidden, resp.StatusCode) } }